For every new phishing URL impersonating a financial institution, there were more than seven impersonating technology companies.

The data was collected throughout 2016 by Webroot, and demonstrates a significant change since 2015, when the ratio was less than one to three. This increase may indicate that it is easier to phish a technology account, and that due to password reuse, they can be more valuable to hackers as a gateway to other accounts.

According to Webroot’s 2017 Threat Report, released at RSA, the top three phishing targets in 2016 were Google, Yahoo and Apple.

Interestingly, Webroot also uncovered a decreasing lifecycle in phishing attacks. The longest-running phishing site was active less than two days, and the shortest was only 15 minutes. A full 84% of all phishing sites were active less than 24 hours.

Aside from the phishing details, the report found that the most important 2016 trend in malware was polymorphism, which is when each instance is unique and undetectable by traditional signature-based security approaches. In fact, approximately 94% of malware and potentially unwanted application (PUA) executables were only seen once.

Ransomware of course continued to be a significant threat, with Locky being the most successful ransomware seen in 2016. In its debut week in February 2016, Locky infected more than 400,000 victims and was one of the first ransomware programs to encrypt unmapped network drives. The FBI estimated that cybercriminals would collect more than $1 billion in ransom in 2016, and Webroot expects ransomware to continue to proliferate in 2017.

“The continued increase in sophistication and volume of phishing attacks, ransomware and polymorphic malware mean we are at greater risk than ever from cybercriminals,” said Hal Lonas, CTO at Webroot. “It’s clear that relying on threat lists, virus signatures, and simplistic rules for protection is wholly insufficient against a threat landscape that is constantly evolving. Proven, real-time machine learning-based analysis that includes an understanding of threat behavior and context is necessary for accurate decision making and protection from today’s threats.”

On the mobile front, nearly 50% of the new and updated mobile apps analyzed in 2016 were classified by Webroot as malicious or suspicious, totaling nearly 10 million during the year. In contrast, just over 2 million such apps were identified during 2015.

As for the threats malicious mobile apps present, adware experienced significant growth, jumping from a negligible share in 2015 to nearly 10% in the second half of 2016. This change is likely due to the Android operating system’s growing market dominance, which makes it a more attractive target for adware. Trojans continue to make up the majority of malicious mobile app threats, holding at 60% from 2015 to 2016.

And finally, throughout 2016, Webroot identified malicious IP addresses from nearly 150 countries. In 2016, 33 million unique malicious addresses appeared on the blacklist, a slight increase over 2015. This indicates that the previous years’ trend is continuing; attackers are changing IP addresses to avoid detection. This is underscored by the fact that over 88% of the top 10,000 malicious IP addresses used in attacks appeared on the list only once.